For Your Eyes Only: A Review of Developments in Cybersecurity and Data Privacy Law NCHER 2018 Fall Legal Meeting October 5, 2018 Hinshaw & Culbertson | Chicago, Illinois

Presentation Outline New York DFS Cybersecurity Rules EU General Data Protection Regulation California Consumer Privacy Act of 2018 Data Breach Notification Laws Enforcement Matters Reg. P Amendments

NY DFS Cybersecurity Rules Cybersecurity Rule, 23 NYCRR Part 500, applicable to “covered entities” Effective March 1, 2017, with various compliance deadlines September 3, 2018 – Sections 500.06 (audit trails), 500.08 (application security), 500.13 (limitation on data retention), 500.14(a) (regular monitoring) and 500.15 (encryption of nonpublic information) March 1, 2019 – Section 500.11 (third-party service provider security policy)

EU GDPR – Scope GDPR, effective May 25, 2018, applies to: “the processing of personal data of data subjects who are in the [EU] by a controller or processor not established in the [EU], where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the [EU]; or (b) the monitoring of their behaviour as far as their behaviour takes place within the [EU].” GDPR Art. 3.2.

EU GDPR – Requirements Consent Requirements Required Disclosures When Collecting Personal Data Right of Access Right to Rectification Right to Be Forgotten Right to Restriction of Processing Right to Data Portability Data Security Requirements Data Breach Procedures

CA Consumer Privacy Act Cal. Civ. Code §§ 1798.100 et seq. Enacted on June 28, 2018, effective January 1, 2020 S.B. 1121 CA AG regulations on or before January 1, 2020 CA AG cannot bring an enforcement action until the earlier of July 1, 2020 or 6 months after publication of the final regulations

CA Consumer Privacy Act Scope Applies to “businesses” that collect “personal information” regarding California residents Annual gross revenue in excess of $25m Exemptions Comply with federal, state, or local laws, or subject to GLBA

CA Consumer Privacy Act Requirements and Rights Right to know what personal information is being collected, whether personal information is sold or disclosed, and to whom Right to “opt-out” of sale of certain personal information Right “to be forgotten” Right to equal service and price

Data Breach Notification Laws State Law Developments Alabama Data Breach Notification Act of 2018, Ala. Code § 8-19F-1 Arizona, H.B. 2154 Colorado, H.B. 18-1128 Connecticut, S.B. 472 Oregon, S.B. 1551 South Dakota, S.D. Codified Laws, Chapter 22-40 (S.B. 62)

Data Breach Notification Laws Federal Developments Economic Growth, Regulatory Relief, and Consumer Protection Act (2018), Sec. 301 Treasury Dep’t Report, “A Financial System That Creates Economic Opportunities Nonbank Financials, Fintech, and Innovation” (July 2018) Consumer Information Notification Requirement Act (Rep. Luetkemeyer, H.R. 6743)

Enforcement Matters Federal Enforcement State Enforcement Actions LabMD, Inc. v. FTC (11th Cir. June. 6, 2018) State Enforcement Actions State of Pennsylvania v. Uber State of Washington v. Motel 6

Reg. P Amendments – Privacy Notices FAST Act of 2015 GLBA § 503(f) Financial institutions that meet certain conditions are not required to provide annual privacy notices to customers CFPB implementing regulations (Aug. 17, 2018) 83 Fed. Reg. 40945 Effective Sept. 17, 2018

Questions?

Contact Information Peter Cockrell Associate, Washington, DC McGlinchey Stafford (202) 802-9954 pcockrell@mcglinchey.com